Musings of Jason Jones

Tag Archives: pki

I recently became involved in a project to get SCCM working on all our endpoints in various DMZ’s. These servers are all in workgroups in DMZ’s so can’t use the standard method of using the Certificate MMC Snap-in to enroll in certificates (needed to encrypt the SCCM communication).

In case you aren’t aware, to do a Computer-based certificate request you need to do the following:

create an INF file that includes all the information for your certificate template

create the .cer request based off of the INF

submit it to your PKI server

download the completed cert and complete the request

export the request to a pfx file

In the case of our scenario where your DMZ box needs a certificate issued by your internal PKI you need to create and submit the request from a domain joined machine by an account with access to enroll in the certificate. Then you have to export the certificate and import it into the DMZ server directly. You also have to import your certificate chain into the DMZ machine, but that’s relatively easy and I’m not going to cover it in this article.

The rest of the commands are pretty obvious how to read from the code, but essentially it throws out a bunch of certreq commands to create and submit the certificate request and then export it to the pfx we need to ultimately copy to the new DMZ box. And then it cleans up after itself and deletes the working files.

To import our trusted root certificates into the DMZ box, run the following commands: